SAP Cyber Threat Intelligence report – December 2018

The SAP threat landscape is always expanding thus putting organizations of all sizes and industries at risk of cyber attacks. The idea behind the monthly SAP Cyber Threat Intelligence report is to provide an insight into the latest security vulnerabilities and threats.

Key takeaways

The recent SAP patch update consists of 17 patches with the majority of them rated medium.

The most common vulnerability type is Implementation Flaw.

SAP NetWeaver ABAP platform has 41% of all vulnerabilities fixed this month.

Two of the bugs are Hot News with the highest CVSS base score of 9.8 and 9.3.

This set of SAP security notes is the last for 2018 with the average number of fixes slightly decreased to 244.

SAP Security Notes – December 2018

SAP has released the monthly critical patch update for December 2018. This patch update closes 17 SAP Security Notes (9 SAP Patch Day Notes and 8 Support Package Notes ). 6 of the patches are updates to previously released Security Notes.

Below is a chart illustrating the SAP security notes distribution by priority.

SAP Security Notes Distribution by Priority (July – December 2018)

This month, Implementation Flaw is the largest group in terms of the number of vulnerabilities.

SAP Security Notes Distribution by Vulnerability Type – December 2018

In December, 28% of all vulnerabilities belong to the SAP NetWeaver ABAP platform, as a pie chart shows:

Affected Platforms – December 2018

Critical issues closed by SAP Security Notes in December

The following SAP Security Notes can patch the most severe vulnerabilities of this update :

2711425: SAP Hybris Commerce storefronts has a Cross-Site Scripting vulnerability (CVSS Base Score: 9.3CVE-2018-2505). An attacker can use Cross-site scripting vulnerability for injecting a malicious script into a page.
Reflected XSS feature is necessity of tricking a user from an attackers’ side – he must make user to use specially crafted link. Speaking about stored XSS, malicious script is injected and permanently stored in a page body, this way user is attacked without performing any actions.
The malicious script can access to all cookies, session tokens and other critical information stored by browser and used for interaction with a site. An attacker can gain access to user’s session and learn business-critical information, in some cases it is possible to get control over this information. Also XSS can be used for unauthorized modifying of displayed site content.
Install this SAP Security Note to prevent the risks.

2658279: SAP Java keystore service has Implementation flaw vulnerability (CVSS Base Score: 7.4CVE- 2018-2503)
Depending on the problem, an implementation flaw can cause unpredictable behaviour of a system, troubles with stability and safety. Patches solve configuration errors, add new functionality and increase system stability.
Install this SAP Security Note to prevent the risks.

2642680: SAP NetWeaver AS Java has XML external entity (XXE) vulnerability (CVSS Base Score: 7.1CVE- 2018-2485)
An attacker can use XML external entity vulnerability to send specially crafted unauthorized XML requests which will be processed by XML parser. An attacker can use a XML external entity vulnerability for getting unauthorised access to OS filesystem.
Install this SAP Security Note to prevent the risks.

Advisories for these SAP vulnerabilities with technical details will be available in three months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

SAP Vulnerabilities of 2018 in review

244 security updates released in 2018 in total. This number has declined approximately by 21% in comparison with the previous year. The average number of monthly SAP Security Notes for 2018 is nearly 20 while it was equal to 26 in 2017 and 22 in 2016.

The number of fixes rose up sharply in 2010 but then fell in 2011 and 2012. The decline led to a further sharp drop in 2013. The following years experienced slight fluctuations and then a gradual fall.

SAP Security Notes by Year (2008-2018)

Both Missing Authorization Check (44) and Implementation Flaw (also 44) are the most common types for 2018. Medium priority vulnerabilities still form the largest part of the overall number.

SAP users are recommended to implement security patches as they are released as it helps protect the SAP landscape.